fix: bump cryptography, marshmallow, and pip for Docker Scout CVEs

aarthy-dk · claude · aarthy-dk · commit 217d21280cd2 · 2026-03-12T00:07:07.000-04:00
- cryptography~=44.0.2 → ~=46.0.5 (HIGH CVE-2026-26007) - marshmallow~=3.19.0 → ~=3.26.2 (MEDIUM CVE-2025-68480) - Upgrade pip in BE Dockerfile runtime stage (MEDIUM CVE-2025-8869, LOW CVE-2026-1703) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/deploy/docker/observability-be.dockerfile b/deploy/docker/observability-be.dockerfile
@@ -32,7 +32,8 @@ RUN python3 -O -m pip install --no-deps /tmp/dk --prefix=/dk
 
 FROM ${BASE_IMAGE_URL}python:3.12.11-alpine3.22 AS runtime-image
 
-RUN apk update && apk upgrade && apk add --no-cache librdkafka=2.10.0-r0
+RUN apk update && apk upgrade && apk add --no-cache librdkafka=2.10.0-r0 \
+    && pip install --no-cache-dir --upgrade pip
 
 # Grab the pre-built app from the build-image. This way we don't have
 # excess laying around in the final image.
diff --git a/pyproject.toml b/pyproject.toml
@@ -26,12 +26,12 @@ dependencies = [
     "blinker~=1.9.0",
     "boltons~=23.0.0",
     "confluent-kafka==2.4.0",
-    "cryptography~=44.0.2",
+    "cryptography~=46.0.5",
     "flask~=3.1.0",
     "gunicorn~=23.0.0",
     "log-color==2.0.0",
     "Marshmallow-Peewee~=3.4.3",
-    "marshmallow~=3.19.0",
+    "marshmallow~=3.26.2",
     "marshmallow-union==0.1.15.post1",
     "msgpack==1.0.4",
     "oauthlib~=3.2",
